Abstract. The treewidth of control flow graphs arising from structured programs is known to be at most six. However, as a control flow graph is inherently directed, it makes sense to consider a measure of width for digraphs instead. We use the so-called DAG-width and show that the DAG-width of control flow graphs arising from structured (goto-free) programs is at most three. Additionally, we also give a linear time algorithm to compute the DAG decomposition of these control flow graphs. One consequence of this result is that parity games (and hence the $\mu$-calculus model checking problem), which are known to be tractable on graphs of bounded DAG-width, can be solved efficiently in practice on control flow graphs.


1 Introduction 

Given a program P and a property $\pi$, software verification concerns the problem of determining whether or not $\pi$ is satisfied in all possible executions of P. The problem can be formulated as an instance of the more general $\mu$-calculus model checking problem. Under such a formulation, we specify the property $\pi$ as a $\mu$-calculus formula and evaluate it on a model of the system under verification. The system is usually modeled as a state machine, like a Kripke structure [3], where states are labeled with appropriate propositions of the property $\pi$. For example, in the context of software systems, the control-flow graph of the program is the Kripke structure. The states represent the basic blocks in the program and the transitions represent the flow of control between them.

The complexity of the $\mu$-calculus model checking problem is still unresolved: the problem is known to be in NP $\cap$ co-NP, but a polynomial time algorithm has not been found. It is also known that the problem is equivalent to deciding the winner in parity games, a two-player game played on a directed graph. More precisely, given a model M and a formula $\phi$, we can construct a directed graph G on which the parity game is played [?]. Based on the winner of the game on G, we can determine whether or not the formula $\phi$ satisfies the model M. Motivated by this development, parity games were extensively studied and efficient algorithms were found for special graph classes [?].
For software model checking, the result for graphs of bounded treewidth [?] is of particular interest since the treewidth of control-flow graphs for structured (goto-free) programs is at most 6 and this is tight [12]. The proof comes with an associated tree decomposition (which is otherwise hard to find [3]).

Obdrzalek [?] gave an algorithm for parity games on graphs of treewidth at most k. The algorithm runs in $O(n \cdot k \cdot [\text{illegible}])$ time, where n is the number of vertices and d is the number of priorities in the game. For the $\mu$-calculus model checking problem, the number of priorities d is equal to two plus the alternation depth of the formula, which in turn is at most m (the size of the formula).

In practice both m and d are usually quite small. Since the treewidth of control-flow graphs is also small, Obdrzalek believed that his result should give better algorithms for software model checking. However, as pointed out in [5], the algorithm is far from practical due to the large factor of [illegible]. For example, the parity game (and hence model checking with a single sub-formula) on a control-flow graph of treewidth 6 will have a running time of $O(n \cdot d^{[\text{illegible}]})$. Fearnley and Schewe [5] have improved the run time for bounded treewidth graphs to $O(n \cdot (k+1)^{k+5} \cdot (d+1)^{3k+5})$. This brings the run time to $O(n \cdot 7^{11} \cdot (d+1)^{23})$, which still seems impractical. In the same paper, they also present an improved result for graphs of DAG-width at most k, running in $O(n \cdot M \cdot [\text{illegible}] \cdot (d+1)^{3k+2})$ time. Here, M is the number of edges in the DAG decomposition; no bound better than $M \in O(n^{[\text{illegible}]})$ is known.

Contribution. We observe that since treewidth is a measure for undirected graphs, explaining the structure of control-flow graphs via treewidth is overly pessimistic, and by ignoring the directional properties of edges we may be losing possibly helpful information. Moreover, software model checking could benefit from the DAG-width based algorithms from [?], if we can find a DAG decomposition of control-flow graphs with a small width and fewer edges.

To this end, we show that the DAG-width of control-flow graphs arising from structured (goto-free) programs is at most 3. Moreover, we also give a linear time algorithm to find the associated DAG decomposition with a linear number of edges. Combining this with the results by Fearnley and Schewe [5], parity games on control-flow graphs (and hence model checking with a single sub-formula) can be solved in $O(n^2 \cdot 3^{[\text{illegible}]} \cdot (d+1)^{11})$ time. This is competitive with and probably more practical than the previous algorithms.

From a graph-theoretic perspective, it is desirable for a digraph width measure (see [12] for a brief survey) to be small on many interesting instances. The above result makes a case for DAG-width by demonstrating that there are application areas that benefit from efficient DAG-width based algorithms.

Outline. The remainder of the paper is organized as follows. Section 2 reviews notation and background material, especially the cops and robbers game and its relation to DAG-width. The proof of the DAG-width bound follows in Section 3. In Section 4 we discuss the algorithm to find the associated DAG decomposition. Finally, we conclude with Section 5.


2 Preliminaries 


2.1 Control-Flow Graphs 

Definition 1. The control-flow graph of a program P is a directed graph $G = (V, E)$, where a vertex $v \in V$ represents a statement $S_v \in P$ and an edge $(u, v) \in E$ represents the flow of control from $S_u$ to $S_v$ under some execution of the program P. The vertices start and stop correspond to the first and last statements of the program, respectively.

For the sake of having fewer vertices in G, most representations of control-flow graphs combine sequences of statements without any branching into a basic block. This is equivalent to contracting every edge $(u, v) \in E$ such that the in-degree and out-degree of v is 1. Throughout the paper, we assume that the control-flow graphs are derived from structured (goto-free) programs. This is done because with unrestricted gotos any digraph could be a control-flow graph and so they have no special width properties. We can construct a control-flow graph of a structured program by parsing the program top-down and expanding it recursively depending on the control structures as shown in Figure 1 (see [?] for more details). Following the same convention as [?], we note that the potential successors of a statement S in the program P are:

— out, the succeeding statement or construct

— exit, the exit point of the nearest surrounding loop (break)

— entry, the entry point of the nearest surrounding loop (continue)

— stop, the end of the program (return, exit)

Definition 2 (Dominators). Let G be a control-flow graph and $u, v \in V$. We say that u dominates v if every directed path from start to v must go through u. Similarly, we say that u post-dominates v if every directed path from v to stop must go through u.

Definition 3 (Loop Element). For every loop construct such as do-while, foreach, we can construct an equivalent representation as a loop element L, characterized by an entry point $L^{entry}$ and an exit point $L^{exit}$. See Figure 1a.

We note the following definitions and properties for loop elements:

— We define inside(L) to be the set of vertices dominated by $L^{entry}$ and not dominated by $L^{exit}$. Quite naturally, we define outside(L) to be the set of vertices $V \setminus inside(L)$. Note that $L^{entry} \in inside(L)$ but $L^{exit} \in outside(L)$. Moreover, if we ignore edges to stop, $L^{exit}$ post-dominates the vertices in inside(L).

— For the purpose of simplification, we assume G to be enclosed in a hypothetical loop element $L_\phi$. This is purely notational and we do not add extra vertices or edges to G. We have $inside(L_\phi) = V$ and $outside(L_\phi) = \emptyset$.

— We say that a loop element $L_1$ is nested under L iff $L_1^{entry} \in inside(L)$. Two distinct loop elements are either nested or have disjoint insides.

Fig. 1. Loop elements. (a) The abstract structure. Dashed edges must start in belongs(L). (b) Sample code and the resulting control-flow graph. Backward edges are dash-dotted. inside(L) is shown dotted.

— We can now associate every vertex of G to a loop element as follows. We say that a vertex $v \in V$ belongs to L if and only if L is the nearest loop element such that $L^{entry}$ dominates v. More precisely, $v \in belongs(L)$ if and only if $v \in inside(L)$ and there exists no $L_1$ nested under L with $v \in inside(L_1)$.

— Every $v \in V$ belongs to exactly one loop element. start and stop (as well as any vertices outside all loops of the program) belong to $L_\phi$.

— Finally, we say that a loop element $L_1$ is nested directly under L iff $L_1^{entry} \in belongs(L)$. In other words, $L_1$ is nested under L and there exists no $L_j$ nested under L such that $L_1$ is nested under $L_j$.

We say that an edge $(u, v) \in E$ is a backward edge if v dominates u; otherwise we call it a forward edge. The following observations will be crucial:

Lemma 1. The backward edges are exactly those that lead from a vertex in belongs(L) to $L^{entry}$, for some loop element L.

Corollary 1. Let C be a directed cycle for which all vertices are in inside(L) and at least one vertex is in belongs(L), for some loop element L. Then $L^{entry} \in C$.

2.2 Tree-width and DAG-width 

The treewidth, introduced in [?], is a graph theoretic concept which measures the tree-likeness of an undirected graph. We will not review the formal definition of treewidth here since we do not need it. Thorup [?] showed that every control-flow graph has a treewidth of at most 6. This implies that any control-flow graph has O(n) edges.

The DAG-width, introduced independently in [?], is a measure of how close a directed graph is to being a directed acyclic graph (DAG). Like the treewidth, it is defined via the best possible width of a so-called DAG decomposition. We will review the formal definition in Section 4.

2.3 Cops and Robbers game

The cops and robber game on a graph G is a two-player game in which k cops attempt to catch a robber. Most graph width measures have an equivalent characterization via a variant of the cops and robber game. For example, an undirected graph G has treewidth k if and only if k + 1 cops can search G and successfully catch the robber [?].

The DAG-width relates to the following variant of the cops and robber game played on a directed graph $G = (V, E)$:

— The cop player controls k cops, which can occupy any of the k vertices in the graph. We denote this set as X where $X \in [V]^{\leq k}$. The robber player controls the robber which can occupy any vertex r.

— A play in the game is a (finite or infinite) sequence $(X_0, r_0), (X_1, r_1), \ldots, (X_i, r_i)$ of positions taken by the cops and the robber. $X_0 = \emptyset$, i.e., the robber starts the game by choosing an initial position.

— In a transition in the play from $(X_i, r_i)$ to $(X_{i+1}, r_{i+1})$, the cop player moves the cops not in $X_i \cap X_{i+1}$ to $X_{i+1} \setminus X_i$ with a helicopter. The robber can, however, see the helicopter landing and move at great speed along a cop-free path to another vertex $r_{i+1}$. More specifically, there must be a directed path from $r_i$ to $r_{i+1}$ in the digraph $G \setminus (X_i \cap X_{i+1})$.

— The play is winning for the cop player if it terminates with $(X_m, r_m)$ such that $r_m \in X_m$. If the play is infinite, the robber player wins.

— A (k-cop) strategy is a function $f : [V]^{\leq k} \times V \to [V]^{\leq k}$. Put differently, the cops can see the robber when deciding where to move to. A play is consistent with strategy f if $X_{i+1} = f(X_i, r_i)$ for all i.

Definition 4 (Monotone strategies). A strategy for the cop player is called cop-monotone if, in a play consistent with that strategy, the cops never visit a vertex again. More precisely, if $v \in X_i$ and $v \in X_k$ then $v \in X_j$ for all $i < j < k$.

The following result is central to our proof:

Theorem 1 ([?, Lemma 15 and Theorem 16]). A digraph G has DAG-width k if and only if the cop player has a cop-monotone winning strategy in the k-cops and robber game on G.

Therefore, in order to prove that the DAG-width of a graph G is at most k, it suffices to find a cop-monotone winning strategy for the cop player in the k-cops and robber game on G. In the next section, we present such a strategy and argue its correctness. We will later (in Section 4) give a second proof, not using the k-cops and robber game, of the DAG-width of control-flow graphs. As such, Section 3 is not required for our main result, but is a useful tool for gaining insight into the structure of control-flow graphs, and also provides a way of proving a lower bound on the DAG-width.


3 Cops and Robbers on Control Flow Graphs 

Let $G = (V, E)$ be the control flow graph of a structured program P. Recall that we characterize a loop element L by its entry and exit points and refer to it by the pair $(L^{entry}, L^{exit})$. We now present the following strategy f for the cop player in the cops and robber game on G with three cops.

1. We will throughout the game maintain that at this point X(1) occupies $L^{entry}$, X(2) occupies $L^{exit}$ and $r \in inside(L)$, for some loop element L. (In the first round $L := L_\phi$, where $L_\phi$ is the hypothetical loop element that encloses G. Regardless of the initial position of the robber, $r \in inside(L_\phi)$. The cops X(1) and X(2) are not used in the initial step.)

2. Now we move the cops:

(a) If $r \in belongs(L)$, move X(3) to r.

(b) Else, since $r \in inside(L)$, we must have $r \in inside(L_1)$ for some loop $L_1$ directly nested under L. Move X(3) to $L_1^{exit}$.

3. Now the robber moves, say to r'. Note that $r' \in inside(L) \cup \{stop\}$ since $r \in inside(L)$ and X(1) and X(2) block all paths from there to $outside(L) \setminus \{stop\}$.

4. One of four cases is possible:

(a) r' = X(3). Then we have now caught the robber and we are done.

(b) r' = stop. Move X(3) to stop and we will catch the robber in the next move since the robber cannot leave stop.

(c) $r' \in inside(L_1)$, i.e., the robber stayed inside the same loop that it was in before. Go to step 5.

(d) $r' \in inside(L) \setminus inside(L_1)$, i.e., the robber left the inside of the loop that it was in. Go back to step 2.

5. We reach this case only if the robber r' is inside $L_1$, and X(3) had moved to $L_1^{exit}$ in the step before. Thus cop X(3) now blocks movements of r' to $outside(L_1) \setminus \{stop\}$. We must do one more round before being able to recurse:

(a) Move X(1) to $L_1^{entry}$.

(b) The robber moves, say to r''. By the above, $r'' \in inside(L_1) \cup \{stop\}$.

(c) If $r'' = L_1^{entry}$ we have caught the robber. If r'' = stop, we can catch the robber in the next move.

(d) In all remaining cases, $r'' \in inside(L_1)$. Go back to step 1 with $L := L_1$, X(2) as X(3) and X(3) as X(2).


For a step-by-step annotated example, see Appendix A. It should be intuitive that we make progress if we reach Step (5), since we have moved to a loop that is nested more deeply. It is much less obvious why we make progress if we reach 4(d). To prove this, we introduce the notion of a distance function $dist(v, L^{exit})$ which measures roughly the length of the longest path from v to $L^{exit}$, except that we do not count vertices that are inside loops nested under L. Formally:

Definition 5. Let L be a loop element of G and $v \in inside(L)$. Define $dist(v, L^{exit}) := \max_P |P \cap belongs(L)|$, where P is a directed simple path from v to $L^{exit}$ that uses only vertices in inside(L) and does not use $L^{entry}$.

Lemma 2. When the robber moves from r to r' in step (3), then $dist(r', L^{exit}) \leq dist(r, L^{exit})$. The inequality is strict if $r \in belongs(L)$ and $r' \neq r$.

Proof. Let P be the directed path from r to r' along which the robber moves. Notice that $L^{entry} \notin P$ since X(1) is on $L^{entry}$. Let P' be the path that achieves the maximum in $dist(r', L^{exit})$; by definition P' does not contain $L^{entry}$.

$P \cup P'$ may contain directed cycles, but if C is such a cycle then no vertices of C are in belongs(L) by Corollary 1. So if we let $P_S$ be what remains of $P \cup P'$ after removing all directed cycles, then $P_S \cap belongs(L) = (P \cup P') \cap belongs(L)$. Since $P_S$ is a simple directed path from r to $L^{exit}$ that does not use $L^{entry}$, therefore $dist(r, L^{exit}) \geq |P_S \cap belongs(L)| \geq |P' \cap belongs(L)| = dist(r', L^{exit})$, as desired.

If $r' \neq r$, then P' cannot possibly include r while $P_S$ does, and so if additionally $r \in belongs(L)$ then the inequality is strict. □

Lemma 3. The strategy f is winning.

Proof. Clearly the claim holds if the robber ever moves to stop, so assume this is not the case. Recall that at all times the strategy maintains a loop L such that two of the cops are at $L^{entry}$ and $L^{exit}$. We do an induction on the number of loops that are nested in L.

So assume first that no loops are nested inside L. Then inside(L) = belongs(L), and by Lemma 2 the distance of the robber to $L^{exit}$ steadily decreases since X(3) always moves onto the robber, forcing it to relocate. Eventually the robber must get caught.

For the induction step, assume that there are loops nested inside L. If we ever reach step (5) in the strategy, then the enclosing loop L is changed to $L_1$, which is inside L and hence has fewer loops inside, and we are done by induction. But we must reach step (5) eventually (or catch the robber directly), because with every execution of (3) the robber gets closer to $L^{exit}$:

— If $r \in belongs(L)$, then this follows directly from Lemma 2 since X(3) moves onto r and forces it to move.

— If $r \in inside(L_1)$, and we did not reach step (5), then r must have left $L_1$ using $L_1^{exit}$. Notice that $dist(r, L^{exit}) = dist(L_1^{exit}, L^{exit})$ due to our choice of distance function. Also notice that $L_1^{exit} \in belongs(L)$ since $L_1$ was directly nested under L. We can hence view the robber as having moved to $L_1^{exit}$ (which keeps the distance the same) and then to the new position (which strictly decreases the distance to $L^{exit}$ by Lemma 2). □


Lemma 4. The strategy f is cop-monotone.

Proof. We must show that the cops do not re-visit a previously visited vertex at any step of the strategy f. We note that since stop is a sink in G and the cops move to stop only if the robber was already there, it will never be visited again. Now the only steps which we need to verify are (2) and (5a).

Observe that while we continue in step (2), the cops X(1) and X(2) always stay at $L^{entry}$ and $L^{exit}$ respectively, and X(3) always stays at a vertex in belongs(L). (This holds because $L_1$ was chosen to be nested directly under L in Case (2b), so $L_1^{exit} \in belongs(L)$.) Also notice that $dist(X(3), L^{exit}) = dist(r, L^{exit})$ for as long as we stay in step (2), because vertices in $inside(L_1)$ do not count towards the distance. In the previous proof we saw that the distance of the robber to $L^{exit}$ strictly decreases while we continue in step (2). So $dist(X(3), L^{exit})$ also strictly decreases while we stay in step (2), and so X(3) never re-visits a vertex.

During step (5), the cops move to $L_1^{entry}$ and $L_1^{exit}$ and from then on will only be at vertices in $inside(L_1) \cup \{L_1^{exit}\}$. Previously cops were only in belongs(L) or in outside(L). These two sets intersect only in $L_1^{exit}$, which is occupied throughout the transition by X(3) (later renamed to X(2)). Hence no cop can re-visit a vertex and the strategy f is cop-monotone. □

With this, we have shown that the DAG-width is at most 3. This is tight.

Lemma 5. There exists a control-flow graph that has DAG-width at least 3.

Proof. By Theorem 1, it suffices to show that the robber player has a winning strategy against two cops. We use the graph from Fig. 2 and the following strategy:

1. Start on vertex 5. We maintain the invariant that at this point the robber is at 5 or 6, and there is at most one cop on vertices {5, 6, 7, 8}. This holds initially when the cops have not been placed yet.

2. If (after the next helicopter landing) there will still be at most one cop in {5, 6, 7, 8}, then move such that afterwards the robber is again at 5 or 6. (Then return to (1).) The robber can always get to one of {5, 6} as follows: If no cop comes to where the robber is now, then stay stationary. If one does, then get to the other position using the cycle 5 → 6 → 7 → 5; this cannot be blocked since one cop is moving to the robber's position and only one cop is in {5, 6, 7, 8} afterwards.

3. If (after the next helicopter landing) both cops will be in {5, 6, 7, 8}, then "flee" to vertex 9 along the directed path {5 or 6} → 8 → 1 → 2 → 9.

4. Repeat the above steps with positions {9, 10}, cycle {9, 10, 11} and escape path {9 or 10} → 12 → 1 → 2 → 5 symmetrically.

Thus the robber can evade capture forever by toggling between the two loop elements $L_1$ and $L_2$ and hence has a winning strategy. □

In summary:

Theorem 2. The DAG-width of control-flow graphs is at most 3 and this is tight for some control-flow graphs.




Fig. 2. The robber player has a winning strategy on G against two cops.


4 Computing the DAG decomposition 

We already showed that control-flow graphs have DAG-width at most 3 (Theorem 2). In this section we show how we can construct an associated DAG decomposition with few edges.

4.1 DAG-width

We first state the precise definition of DAG-width, for which we need the following notation. For a directed acyclic graph (DAG) D, we use $u \preceq_D v$ to denote that there is a directed path from u to v in D.

Definition 6 (DAG Decomposition). Let $G = (V, E)$ be a directed graph. A DAG decomposition of G consists of a DAG D and an assignment of bags $X_i \subseteq V$ to every node i of D such that:

1. (Vertices covered) $\bigcup_i X_i = V$.

2. (Connectivity) For any $i \preceq_D k \preceq_D j$ we have $X_i \cap X_j \subseteq X_k$.

3. (Edges covered)

(a) For any source j in D, any $u \in X_j$, and any edge (u, v) in G, there exists a successor-bag $X_k$ of $X_j$ with $v \in X_k$.

(b) For every arc (i, j), any $u \in X_j \setminus X_i$, and any edge (u, v) in G, there exists a successor-bag $X_k$ of $X_j$ with $v \in X_k$.

Here a successor-bag of $X_j$ is a bag $X_k$ with $j \preceq_D k$.

Note that for ease of understanding we have rephrased the edge-covering condition of the original in [5]. (Appendix B proves the equivalence.)
4.2 Constructing a DAG decomposition 

While we already know that the DAG-width of control-flow graphs is at most 3, we do not know the DAG decomposition and its number of edges M that is needed for the run time of [8]. There is a method to get the DAG decomposition from a winning strategy for the k-cops and robber game [3], but it only shows $M \in O(n^{[\text{illegible}]})$. We now construct a DAG decomposition for control-flow graphs directly. Most importantly, it has $M \in O(n)$ edges, thereby making [5] even more efficient for control-flow graphs.

Let $G = (V, E)$ be a control-flow graph. We present the following algorithm to construct a DAG decomposition (D, X) of G.

Algorithm 1 (Construct the DAG).

1. Start with D = G. That is, V(D) = V and E(D) = E.

2. Remove all backward arcs. Thus, let $E_b$ be all backward edges of G; recall that each of them connects from a node $v \in belongs(L)$ to $L^{entry}$ for some loop element L. Remove all arcs corresponding to edges in $E_b$ from D.

3. Remove all arcs leading to a loop-exit. Thus, let $E_x$ be all edges (u, v) in G such that $u \in belongs(L)$ and $v = L^{exit}$ for some loop element L. Recall that these arcs are attributed to break statements. Remove all arcs corresponding to edges in $E_x$ from D.

4. Re-route all arcs leading to a loop-entry. Thus, let $E_m$ be all edges (u, v) in G such that $u \in outside(L) \setminus \{L^{exit}\}$ and $v = L^{entry}$ for some loop element L. For each such edge, remove the corresponding arc in D and replace it by an arc $(u, L^{exit})$. Let $A_m$ be those re-routed arcs. Note that now $indeg_D(L^{entry}) = 0$ since we also removed all backward edges.

5. Reverse all arcs surrounding a loop. Thus, let $E_r$ be the edges in G of the form $(L^{entry}, L^{exit})$ for some loop element L. For each edge, reverse the corresponding arc in D. Let $A_r$ be the resulting arcs.

Note that there is a bijective mapping $\mathcal{V}$ from the vertices in G to the nodes in D. For ease of representation, assume that $v_1, v_2, \ldots, v_n$ are the vertices of G and $1, 2, \ldots, n$ are the corresponding nodes in D. We now fill the bags $X_i$:

For every vertex $v_i \in V$, set $X_i := \{v_i, L^{entry}, L^{exit}\}$, where L is the loop element such that $v_i \in belongs(L)$.

A sample decomposition is shown in Figure [?]. Clearly the construction can be done in linear time and the digraph D has $O(|E|) = O(n)$ edges. One easily verifies the following:

Observation 1. For every arc $(i, j) \in E(D)$, $X_j \setminus X_i \subseteq \{v_j\}$.

It remains to show that (D, X) is a valid DAG decomposition.

1. D is a DAG. We claim that $G - E_b$ is acyclic. For if it contained a directed cycle C, then let L be a loop element with $C \subseteq inside(L)$, but $C \not\subseteq inside(L_1)$ for any loop element $L_1$ nested under L. Therefore C contains a vertex of belongs(L). By Corollary 1, $L^{entry}$ then belongs to C, so C contains a backward edge. This is impossible since we delete the backward edges.

Adding the arcs $A_m$ cannot create a cycle since each arc in it is a shortcut for the 2-edge path from outside L to $L^{entry}$ to $L^{exit}$. In $G - E_b - E_x$ there is no directed path from $L^{entry}$ to $L^{exit}$, since such a path would reside inside L, and the last edge of it belongs to $E_x$. In consequence adding the arcs $A_r$ cannot create a cycle either. Hence D is acyclic.

2. Vertices Covered. By definition each $v_i$ is contained in its bag $X_i$.

3. Connectivity. Let $i \preceq_D k \preceq_D j$ be three nodes in D. Recall that their three bags are $\{v_i, L_i^{entry}, L_i^{exit}\}$, $\{v_k, L_k^{entry}, L_k^{exit}\}$ and $\{v_j, L_j^{entry}, L_j^{exit}\}$, where $L_i, L_j, L_k$ are the loop elements to which $v_i, v_j, v_k$ belong. Nothing is to show unless $X_i \cap X_j \neq \emptyset$, which severely restricts the possibilities:

(a) Assume first that $L_i = L_j = L$. Thus $v_i$ and $v_j$ belong to the same loop element, and by the directed path between them, so does $v_k$. So the claim holds since $X_i \cap X_j \subseteq \{L^{entry}, L^{exit}\} \subseteq X_k$.

(b) If $L_i \neq L_j$, then the intersection can be non-empty only if $v_i = L_j^{exit}$ (recall that $i \preceq_D j$). But then $X_i \cap X_j = \{L_j^{exit}\}$ and the path from i to j must go from $L_j^{exit}$ to $L_j^{entry}$ to j. It follows that $v_k$ also belongs to $L_j$ and so $L_j^{exit} \in X_k$ and the condition holds.

4. Edges Covered. We only show the second condition; the first one is similar and easier since start is the only source. Let (i, j) be an arc in D. By Observation 1, $v_j$ is the only possible vertex in $X_j \setminus X_i$. Let $e = (v_j, v_l)$ be an edge of G. We have the following cases:

(a) If $e \in E_b \cup E_x \cup E_r$, then $v_l \in \{L^{entry}, L^{exit}\}$ and $X_j = \{v_j, L^{entry}, L^{exit}\}$ itself can serve as the required successor-bag.

(b) If $e \in E_m$, then $v_l = L^{entry}$ for some loop element L with $v_j \in outside(L)$. We re-routed $(v_j, L^{entry})$ as the arc $(j, \mathcal{V}(L^{exit}))$ and later added an arc $(\mathcal{V}(L^{exit}), \mathcal{V}(L^{entry}))$, so l is a successor of j and $X_l$ can serve as the required successor-bag.

(c) Finally, if $e \in E \setminus (E_b \cup E_x \cup E_r \cup E_m)$, then (j, l) is an arc in D and $X_l$ is the required successor-bag.
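The following Python program is an added worked example (not code from the paper) that implements the definitions of Section 2.1 (dominators, inside(L), belongs(L), backward edges) and Algorithm 1 on a small constructed control-flow graph, then mechanically checks Definition 6 on the result. The graph, its vertex numbering (0 = start, 9 = stop), the two loop elements (1, 8) and (3, 6), and the choice to give vertices of the hypothetical $L_\phi$ the one-element bag $\{v\}$ are all assumptions of this example; the paper gives the loop elements via the program's parse, so here they are passed in explicitly as (entry, exit) pairs.

```python
from collections import defaultdict


def dominators(vertices, edges, start):
    """dom[v] = set of vertices lying on every directed path from start to v
    (Definition 2), computed with the standard iterative data-flow fixpoint."""
    preds = defaultdict(set)
    for u, v in edges:
        preds[v].add(u)
    dom = {v: set(vertices) for v in vertices}
    dom[start] = {start}
    changed = True
    while changed:
        changed = False
        for v in vertices:
            if v == start:
                continue
            pred_doms = [dom[p] for p in preds[v]]
            new = {v} | (set.intersection(*pred_doms) if pred_doms else set())
            if new != dom[v]:
                dom[v], changed = new, True
    return dom


def loop_sets(vertices, dom, loops):
    """inside(L) and belongs(L) as defined in Section 2.1. `loops` lists the loop
    elements as (entry, exit) pairs; the key None stands for the hypothetical L_phi."""
    inside = {L: {v for v in vertices if L[0] in dom[v] and L[1] not in dom[v]} for L in loops}
    inside[None] = set(vertices)
    belongs = {}
    for L in inside:
        nested = [M for M in loops if M != L and M[0] in inside[L]]   # M^entry in inside(L)
        belongs[L] = inside[L].difference(*(inside[M] for M in nested))
    return inside, belongs


def backward_edges(edges, dom):
    """(u, v) is a backward edge iff v dominates u."""
    return {(u, v) for u, v in edges if v in dom[u]}


def dag_decomposition(vertices, edges, start, loops):
    """Algorithm 1. Returns the arc set of D (whose nodes are G's vertices) and the bags."""
    dom = dominators(vertices, edges, start)
    inside, belongs = loop_sets(vertices, dom, loops)
    owner = {v: L for L, vs in belongs.items() for v in vs}
    arcs = set(edges) - backward_edges(edges, dom)                      # steps 1 and 2
    arcs -= {(u, v) for (u, v) in arcs for L in loops                   # step 3: break arcs
             if u in belongs[L] and v == L[1]}
    for entry, exit_ in loops:                                          # step 4: re-route
        for u, v in list(arcs):
            if v == entry and u not in inside[(entry, exit_)] and u != exit_:
                arcs.remove((u, v))
                arcs.add((u, exit_))
    for entry, exit_ in loops:                                          # step 5: reverse
        # every loop in this example has the G-edge (entry, exit); step 3 already dropped
        # it from D, so reversing it amounts to adding the arc (exit, entry)
        arcs.discard((entry, exit_))
        arcs.add((exit_, entry))
    bags = {v: {v} | set(owner[v] or ()) for v in vertices}             # {v, entry, exit}
    return arcs, bags


def check_decomposition(vertices, edges, arcs, bags):
    """Checks Definition 6 for (D, X): acyclicity, width, connectivity, edge covering."""
    succ, has_pred = defaultdict(set), set()
    for u, v in arcs:
        succ[u].add(v)
        has_pred.add(v)
    reach = {v: {v} for v in vertices}            # reach[u] = {k : u <=_D k}
    for s in vertices:
        stack = [s]
        while stack:
            for w in succ[stack.pop()]:
                if w not in reach[s]:
                    reach[s].add(w)
                    stack.append(w)
    acyclic = all(u not in reach[v] for u, v in arcs)
    connectivity = all(bags[i] & bags[j] <= bags[k]
                       for i in vertices for j in reach[i] for k in reach[i] if j in reach[k])

    def covered(j, u):   # some successor-bag of X_j contains v, for every G-edge (u, v)
        return all(any(v in bags[k] for k in reach[j]) for (x, v) in edges if x == u)

    sources = [j for j in vertices if j not in has_pred]
    edges_covered = (all(covered(j, u) for j in sources for u in bags[j]) and
                     all(covered(j, u) for (i, j) in arcs for u in bags[j] - bags[i]))
    return {"acyclic": acyclic, "width": max(len(b) for b in bags.values()),
            "connectivity": connectivity, "edges_covered": edges_covered}


def example_cfg():
    """Constructed control-flow graph (not from the paper): an outer while loop (entry 1,
    exit 8) containing an inner while loop (entry 3, exit 6) with a break at vertex 4.
    Vertex 0 is start and vertex 9 is stop."""
    vertices = list(range(10))
    edges = [(0, 1), (1, 2), (1, 8), (2, 3), (3, 4), (3, 6), (4, 5), (4, 6),
             (5, 3), (6, 7), (7, 1), (8, 9)]
    return vertices, edges, 0, [(1, 8), (3, 6)]


if __name__ == "__main__":
    V, E, s, loops = example_cfg()
    arcs, bags = dag_decomposition(V, E, s, loops)
    print(sorted(arcs))
    print(bags)
    print(check_decomposition(V, E, arcs, bags))
```

On the constructed graph the backward edges are (5, 3) and (7, 1), exactly the arcs from belongs(L) to $L^{entry}$ that Lemma 1 predicts, and the resulting D has nine arcs, width 3, and passes the connectivity and edge-covering checks; the checker is deliberately brute-force ($O(n^3)$ over the reachability relation) so that it mirrors Definition 6 literally rather than the linear-time argument of the paper.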


We conclude: 


Theorem 3. Every control-flow graph G = (V, E) has a DAG decomposition of width 3 with O(|V|) vertices and edges. It can be found in linear time.


5 Conclusion 

In this paper, we showed that control-flow graphs have DAG-width at most 3. Our proof comes with a linear-time algorithm to find such a DAG decomposition, and it has linear size. Since algorithms that are tailored to small DAG-width are typically exponential in the DAG-width, this should improve the run time of such algorithms for control-flow graphs. The specific application that motivated this paper was the DAG-width based algorithm for parity games from [8]; using our DAG decomposition should turn this into a more practical algorithm for software model checking. (See Appendix C for more details.) The run time is still rather slow for large n. One natural open problem is hence to develop even faster algorithms for parity games on digraphs that come from control flow graphs. Our simple DAG decomposition that is directly derived from the control flow graph might be helpful here.

Our result also opens directions for future research in other related application areas. For example, can we use the small DAG-width of control-flow graphs for faster analysis of the worst-case execution time (which is essentially a variant of the longest-path problem)?
A Additional Examples

Example 1. Winning strategy f from Section 3 applied on the graph in Figure 2.

We will refer to the vertices by their indices. Suppose that the initial position of the robber is vertex 0, and the robber plays a lazy strategy, that is, he stays where he is unless a cop comes there, in which case he moves to the closest cop-free vertex. Then the following two sequences of positions are possible. Note that the labels on the transitions represent the corresponding steps of the strategy f, whereas $X(i) = \phi$ indicates that the cop X(i) was not used.

I. $(\{\phi, \phi, \phi\}, 0) \to (\{\phi, \phi, 0\}, 1) \to (\{\phi, \phi, 3\}, 1) \to (\{1, \phi, 3\}, 2) \to (\{1, 3, 2\}, 9) \to (\{1, 3, 12\}, 9) \to (\{9, 3, 12\}, 10) \to (\{9, 12, 10\}, 11) \to (\{9, 12, 11\}, 11) \to stop$

II. $(\{\phi, \phi, \phi\}, 0) \to (\{\phi, \phi, 0\}, 1) \to (\{\phi, \phi, 3\}, 1) \to (\{1, \phi, 3\}, 2) \to (\{1, 3, 2\}, 5) \to (\{1, 3, 8\}, 5) \to (\{5, 3, 8\}, 6) \to (\{5, 8, 6\}, 7) \to (\{5, 8, 7\}, 7) \to stop$

B Properties of DAG-width 

We aim to show that our edge-covering condition is equivalent to the one given by Berwanger et al. [?]. We first review their concepts.

Definition 7 (Guarding). Let $G = (V, E)$ be a digraph and $W, V' \subseteq V$. We say that W guards V' if, for all $(u, v) \in E$, if $u \in V'$ then $v \in V' \cup W$.

The original edge-covering condition was the following:

(D3) For all edges $(d, d') \in E(D)$, $X_d \cap X_{d'}$ guards $X_{\succeq d'} \setminus X_d$, where $X_{\succeq d'}$ stands for $\bigcup_{d' \preceq_D d''} X_{d''}$. For any source d, $X_{\succeq d}$ is guarded by $\emptyset$.

For easier comparison we re-state here our edge-covering condition:

(3a) For any edge (i, j) in E(D), any vertex $u \in X_j \setminus X_i$, and any edge (u, v) in G, there exists a successor-bag $X_k$ of $X_j$ that contains v.

(3b) For any source j in D, any vertex $u \in X_j$, and any edge (u, v) in G, there exists a successor-bag $X_k$ of $X_j$ that contains v.

We will only show that the first half of (D3) is equivalent to (3a); one can similarly show that the second half of (D3) is equivalent to (3b). We first rephrase (D3) partially by switching to our notation, and partially by inserting the definition of guarding; clearly (D3') is equivalent to the first half of (D3).

(D3') For any edge (i, j) in E(D), any vertex $u \in X_{\succeq j} \setminus X_i$ and any edge (u, v) in G, we have $v \in X_{\succeq j} \cup (X_i \cap X_j)$.

But $X_i \cap X_j \subseteq X_j \subseteq X_{\succeq j}$, so we can immediately simplify this again to the following equivalent:

(D3'') For any edge (i, j) in E(D), any vertex $u \in X_{\succeq j} \setminus X_i$ and any edge (u, v) in G, we have $v \in X_{\succeq j}$.

At the other end, we can also simplify (3a), since we now have the shortcut $X_{\succeq j}$ for vertices in a successor-bag of $X_j$.

(3a') For any edge (i, j) in E(D), any vertex $u \in X_j \setminus X_i$, and any edge (u, v) in G, we have $v \in X_{\succeq j}$.

Thus (D3'') and (3a') state nearly the same thing, except that for (D3'') the claim must hold for significantly more vertices u. As such, (D3'') ⇒ (3a') is trivial since $X_j \setminus X_i \subseteq X_{\succeq j} \setminus X_i$.

For the other direction, we need to work a little harder. Assume (3a') holds. To show (D3''), fix one such choice of edge (i, j) in E(D) and (u, v) in E(G) with $u \in X_{\succeq j} \setminus X_i$. We show that $v \in X_{\succeq j}$ using induction on the number of successors of j in D. If there are none, then $X_{\succeq j} = X_j$ and (D3'') holds since (3a') does. Likewise (D3'') holds if $u \in X_j \setminus X_i$ since (3a') holds. This leaves the case where $u \in X_{\succeq j} \setminus X_j$. Thus u belongs to some strict successor-bag of $X_j$, and hence there exists an arc (j, k) with $u \in X_{\succeq k} \setminus X_i$. Node k has fewer successors than j, and so by induction (D3'') holds for the edge (j, k). We know $u \in X_{\succeq k} \setminus X_i$ and $u \notin X_j \setminus X_i$, so $u \in X_{\succeq k} \setminus X_j$. So applying (D3'') we know $v \in X_{\succeq k} \subseteq X_{\succeq j}$ and hence (D3'') also holds for the edge (i, j).


C Application to Software Model Checking

In this section we will discuss how exactly the DAG-width based algorithm from [8] for solving parity games is used for software model checking (which is essentially the μ-calculus model checking problem on control-flow graphs). We start with briefly discussing the modal μ-calculus, parity games and how to convert the μ-calculus model checking problem to the problem of finding a winner in parity games.

C.1 Parity Game

A parity game $\mathcal{G}$ consists of a directed graph $G = (V, E)$ called the game graph and a parity function $\lambda : V \to \mathbb{N}$ (called priority) that assigns a natural number to every vertex of $G$.

The game $\mathcal{G}$ is played between two players $P_0$ and $P_1$ who move a shared token along the edges of the graph $G$. The vertices $V_0 \subseteq V$ and $V_1 = V \setminus V_0$ are assumed to be owned by $P_0$ and $P_1$ respectively. If the token is currently on a vertex in $V_i$ (for $i = 0, 1$) then player $P_i$ gets to move the token, and moves it to a successor of his choice. This results in a possibly infinite sequence of vertices called a play. If the play is finite, the player who is unable to move loses the game. If the play is infinite, $P_0$ wins the game if the largest occurring priority is even, otherwise $P_1$ wins.

A solution for the parity game $\mathcal{G}$ is a partitioning of $V$ into two sets which are respectively the vertices from which $P_0$ and $P_1$ have a winning strategy. Clearly, these two sets should be disjoint.
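To make the definition concrete, here is an added Python implementation (not from the paper or from [8]) of Zielonka's recursive attractor-based algorithm, which partitions $V$ into the two winning regions. The example games, their owners and their priorities are constructed for this illustration. Dead ends are resolved first under the rule that the player unable to move loses, and the remaining total game is solved recursively using the parity condition on the priorities that recur along an infinite play.

```python
"""Added solver for parity games: Zielonka's recursive algorithm."""

# Constructed example game (not from the paper).  Vertex -> (owner, priority);
# owner 0 means P0 moves from that vertex, owner 1 means P1 moves.
VERTICES = {"s": (0, 1), "t": (1, 2), "u": (1, 3), "w": (0, 0)}
EDGES = {"s": ["t", "u"], "t": ["s"], "u": ["w", "u"], "w": []}  # w is a dead end

# Second constructed game: P0 is forced into a cycle whose largest priority is odd.
VERTICES_B = {"a": (0, 2), "b": (1, 1), "c": (1, 1)}
EDGES_B = {"a": ["b"], "b": ["a", "c"], "c": ["c"]}


def attractor(vertices, edges, target, player):
    """Vertices from which `player` can force the token into `target`."""
    attr = set(target)
    changed = True
    while changed:
        changed = False
        for v, (owner, _) in vertices.items():
            if v in attr:
                continue
            succ = edges.get(v, [])
            if owner == player:
                pulled = any(w in attr for w in succ)
            else:
                pulled = bool(succ) and all(w in attr for w in succ)
            if pulled:
                attr.add(v)
                changed = True
    return attr


def subgame(vertices, edges, keep):
    """Restrict the game to the vertex set `keep`."""
    return ({v: vertices[v] for v in keep},
            {v: [w for w in edges.get(v, []) if w in keep] for v in keep})


def zielonka(vertices, edges):
    """Winning regions (W0, W1) of a total game (every vertex has a successor):
    P0 wins an infinite play iff the largest priority seen infinitely often is even."""
    if not vertices:
        return set(), set()
    d = max(p for (_, p) in vertices.values())
    player, opponent = d % 2, 1 - d % 2
    top = {v for v, (_, p) in vertices.items() if p == d}
    a = attractor(vertices, edges, top, player)
    w = zielonka(*subgame(vertices, edges, set(vertices) - a))
    win = [set(), set()]
    if not w[opponent]:
        win[player] = set(vertices)  # `player` wins from every vertex
        return tuple(win)
    b = attractor(vertices, edges, w[opponent], opponent)
    w2 = zielonka(*subgame(vertices, edges, set(vertices) - b))
    win[player] = w2[player]
    win[opponent] = w2[opponent] | b
    return tuple(win)


def solve_parity_game(vertices, edges):
    """Partition V into (W0, W1).  A player who cannot move loses, so each dead
    end is handed to the other player and attracted before the recursion runs
    on the remaining total game."""
    win = [set(), set()]
    vs, es = vertices, edges
    for p in (0, 1):
        dead = {v for v, (owner, _) in vs.items() if owner != p and not es.get(v)}
        win[p] = attractor(vs, es, dead, p)
        vs, es = subgame(vs, es, set(vs) - win[p])
    w0, w1 = zielonka(vs, es)
    return win[0] | w0, win[1] | w1


if __name__ == "__main__":
    print(solve_parity_game(VERTICES, EDGES))      # ({'s', 't'}, {'u', 'w'})
    print(solve_parity_game(VERTICES_B, EDGES_B))  # (set(), {'a', 'b', 'c'})
```

In the first game $P_0$ keeps the token on the cycle $s, t$ whose largest priority is even, while from $u$ player $P_1$ either loops on priority 3 or sends the token to the dead end $w$ where $P_0$ is stuck; the two regions returned are disjoint and cover $V$.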

C.2 Modal μ-calculus

The modal μ-calculus (see [15] for a good introduction) is a fixed-point logic comprising a set of formulas defined by the following syntax:

$$\phi ::= X \mid \phi_1 \wedge \phi_2 \mid \phi_1 \vee \phi_2 \mid [\cdot]\phi \mid \langle\cdot\rangle\phi \mid \nu X.\phi \mid \mu X.\phi$$

Here, $X$ ranges over the set of propositional variables, and $\nu$, $\mu$ are the maximal and minimal fixed-point operators respectively. The alternation depth of a formula is the number of syntactic alternations between the maximal fixed-point operator, $\nu$, and the minimal fixed-point operator, $\mu$.

Given a formula $\phi$, we say that a μ-calculus formula $\psi$ is a subformula of $\phi$ if we can obtain $\psi$ from $\phi$ by recursively decomposing as per the above syntax. For example, the formula $\nu X(P \wedge X)$ has four subformulas: $\nu X(P \wedge X)$, $(P \wedge X)$, $P$ and $X$. The size of a formula is the number of its subformulas.

C.3 μ-calculus Model Checking to Parity Games

A model $M = (S, T)$ is represented as a digraph with the set of states $S$ as vertices and the transitions $T$ as edges. The μ-calculus model checking problem consists of testing whether a given modal μ-calculus formula $\phi$ applies to $M$. As mentioned earlier, given $M$ and $\phi$ there exists a way to construct a parity game instance $\mathcal{G} = (G, \lambda)$ such that $\phi$ applies if and only if the parity game can be solved. See e.g. [?]. We note the following relevant points of this transformation:

1. Let $Sub(\phi)$ be the set of all subformulas of $\phi$ and $m = |Sub(\phi)|$ be the size of the formula $\phi$. For every $\psi \in Sub(\phi)$ and $s \in S$ we create a vertex $(s, \psi)$ in $G$. Therefore, $|V(G)| = m \cdot |S|$.

2. For every $s \in S$, let $V_s \subseteq V(G)$ be the set of vertices $\{(s, \psi) : \psi \in Sub(\phi)\}$ of $G$. Clearly, $|V_s| = m$. It holds that for any $s, t \in S$, there is an edge between any two vertices $u \in V_s$ and $v \in V_t$ of $G$ only if $(s, t) \in T$.

3. The number of priorities $d$ in $\mathcal{G}$ is equal to the alternation depth of the formula $\phi$ plus two. That is, for a μ-calculus formula with no fixed-point operators, the number of priorities is at least 2.
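As an added example covering C.2 and C.3 (not the paper's own code, nor that of [15]), the following Python enumerates $Sub(\phi)$, builds the vertices $(s, \psi)$ and the edges of the game graph for a small model, and checks points 1 and 2 on it. Formulas are nested tuples; the model, its labelling and the formula are constructed for this example. Priorities follow a simple nesting-depth scheme (outer fixed points receive larger priorities, $\nu$ even and $\mu$ odd), which is sound but is not the tight alternation-depth assignment behind point 3, and bound variable names are assumed to be distinct.

```python
"""Added construction of the parity game graph for mu-calculus model checking."""

# Constructed model M = (S, T) with a proposition P true only in s2 (not from the paper).
STATES = ["s0", "s1", "s2"]
TRANS = {("s0", "s1"), ("s1", "s2"), ("s2", "s2")}
LABELS = {"s0": set(), "s1": set(), "s2": {"P"}}
# phi = mu X. (P or <.>X): "some path reaches a P-state".  Sub(phi) has 5 elements.
PHI = ("mu", "X", ("or", ("prop", "P"), ("dia", ("var", "X"))))


def subformulas(phi):
    """Sub(phi): the distinct subformulas of phi, phi itself first."""
    out = []

    def walk(f):
        if f in out:
            return
        out.append(f)
        if f[0] in ("and", "or"):
            walk(f[1]); walk(f[2])
        elif f[0] in ("box", "dia"):
            walk(f[1])
        elif f[0] in ("nu", "mu"):
            walk(f[2])
    walk(phi)
    return out


def fixpoint_info(phi):
    """Map each bound variable to its binding fixed-point subformula and each
    fixed-point subformula to its nesting depth (0 for the outermost)."""
    binder, depth = {}, {}

    def walk(f, k):
        if f[0] in ("nu", "mu"):
            binder[f[1]] = f
            depth[f] = k
            walk(f[2], k + 1)
        elif f[0] in ("and", "or"):
            walk(f[1], k); walk(f[2], k)
        elif f[0] in ("box", "dia"):
            walk(f[1], k)
    walk(phi, 0)
    return binder, depth


def build_game(states, trans, labels, phi):
    """Vertices (s, psi) for s in S and psi in Sub(phi), with owner, priority, edges."""
    subs = subformulas(phi)
    binder, depth = fixpoint_info(phi)
    height = max(depth.values(), default=-1) + 1
    owner, prio, edges = {}, {}, {}
    for s in states:
        for f in subs:
            v, kind = (s, f), f[0]
            prio[v] = 0
            if kind == "prop":
                # terminal vertex: the player who must move loses, so P1 "owns" it
                # when the proposition holds (P0 wins) and P0 owns it otherwise
                owner[v], edges[v] = (1 if f[1] in labels[s] else 0), []
            elif kind == "var":
                owner[v], edges[v] = 0, [(s, binder[f[1]])]  # unfold the fixed point
            elif kind in ("and", "or"):
                owner[v] = 1 if kind == "and" else 0
                edges[v] = [(s, f[1]), (s, f[2])]
            elif kind in ("box", "dia"):
                owner[v] = 1 if kind == "box" else 0
                edges[v] = [(t, f[1]) for (u, t) in sorted(trans) if u == s]
            else:  # nu / mu: one move into the body, priority by nesting depth
                owner[v], edges[v] = 0, [(s, f[2])]
                base = 2 * (height - depth[f])
                prio[v] = base if kind == "nu" else base + 1
    return {"owner": owner, "priority": prio, "edges": edges}


def vertex_count_matches(game, states, phi):
    """Point 1: |V(G)| = m * |S|."""
    return len(game["owner"]) == len(subformulas(phi)) * len(states)


def cross_state_edges_follow_model(game, trans):
    """Point 2: an edge from V_s to V_t with s != t exists only if (s, t) is in T."""
    return all(s == t or (s, t) in trans
               for (s, _), succ in game["edges"].items() for (t, _) in succ)


def example_game():
    return build_game(STATES, TRANS, LABELS, PHI)


if __name__ == "__main__":
    g = example_game()
    print(len(subformulas(PHI)), len(g["owner"]))  # 5 15
    print(vertex_count_matches(g, STATES, PHI), cross_state_edges_follow_model(g, TRANS))
```

The resulting dictionary has the shape a parity-game solver consumes (owner and priority per vertex, successor lists per vertex); only the modal vertices $(s, [\cdot]\psi)$ and $(s, \langle\cdot\rangle\psi)$ cross from $V_s$ into some $V_t$, and they do so exactly along the transitions of $M$.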

C.4 μ-calculus Model Checking on Control Flow Graphs

Recall that given a μ-calculus formula of length $m$ and a control-flow graph $G = (V, E)$, we can create a parity game graph $G'$ with $m \cdot |V|$ vertices. Now, we can use either of the treewidth or DAG-width based algorithms from [8] for solving the parity game on $G'$. We discuss them individually.

Treewidth based algorithm. Recall that this runs in $O(|V| \cdot (k+1)^{?} \cdot (d+1)^{?})$ time where $k$ is the treewidth of the game graph $G'$. Using Thorup's result [?] we can obtain a tree decomposition $(T, X)$ of $G$ with width at most 6. This means that each bag of the tree decomposition contains at most 7 vertices. Using Observation 1.2 we can now obtain a tree decomposition $(T', X')$ for $G'$ from $(T, X)$ by replacing every $s \in X_i$ by $V_s$, for all $X_i \in X$. Note that the width of $T'$ will be $7 \cdot m - 1$.

DAG-width based algorithm. This runs in $O(|V| \cdot M \cdot {?})$ time where $k$ is the DAG-width of the game graph $G'$ and $M$ is the number of edges in the DAG decomposition. Using our main result (Theorem 1), we can obtain a DAG decomposition $(D, X)$ of width 3 and $M \in O(|V|)$. As in the previous case, we can obtain a DAG decomposition of $G'$ from $(D, X)$ by replacing every $s \in X_i$ with $V_s$, for all $X_i \in X$. Note that this will have width $3 \cdot m$ and $M \in O(|V|)$.

We can see that even for the smallest possible values $m = 1$ and $d = 2$, the treewidth based algorithm runs in $O(|V| \cdot 7^{?} \cdot 3^{?}) = O(|V| \cdot 10^{?})$ time. For the same values, the DAG-width based algorithm runs in $O(|V|^2 \cdot 3^{?} \cdot 3^{?}) = O(|V|^2 \cdot 10^{?})$, which is better unless $|V| > 10^{?}$. Of course the actual run-times may be influenced by the constants hidden behind the asymptotic notation, but it is fair to assume that the DAG-width based algorithm will be faster for most practical scenarios, especially as $m$ and $d$ increase.

^ Alternatively, see pages 20-23: Obdrzalek, Jan. Algorithmic analysis of parity games. 